infosec4all.com

The problem of identity theft is ubiquitous, with cases being discovered every day from countries of European Union through Canada, and Australia. Without question, United States remains the most significantly affected by this crime. As a result, most of the research and publicity focuses on this country.

There is no single factor that makes identity theft possible. Not only do the factors change through time, they also differ from country to country. I call the set of specific factors and environments that create fertile ground for committing identity theft identity theft enablers or simply enablers. The most significant enablers specific to the United States are examined here in no particular order.

Credit reporting agencies
The credit reporting system in the United States is the most complete set of information on consumers in the world – far more thorough than any government census. (Sullivan, 2004) The original purpose of the system was to help lenders gather enough information about customers to assess their ability to pay off the loans. Today, the multibillion dollar industry consists of three credit reporting agencies: Equifax, TransUnion, and Experian. They sell credit history information on anyone legally living in the United States to anyone willing to pay for such information. Interestingly enough, the biggest beneficiaries from identity theft are not the criminals but the three reporting agencies, with the credit monitoring industry alone making $900 million, with 20% annual growth. (Dash, 2006)

Based on the wide range of credit information with estimated two billion records monthly growth (Sullivan, 2004) and complex formulas known only to those three companies, each consumer is assigned a credit score – a number that indicates a consumer’s credit worthiness – a number that basically decides on behalf of lenders whether consumer can get a loan and under which terms. The system is geared toward facilitating the growth of the credit industry and its own protection, and not protection of individual customers. In that regard, as long as the applicant’s credit application indicates good chances for timely repayment, the request is granted regardless of who actually submits the application and receives the money. As long as the inaccurate information does not hurt the lenders, those companies do nothing to improve the system, in spite of decades-long problems with accuracy of the reports. (Sullivan, 2004)

Social security numbers
The growth of bureaucratic state in the first half of the twentieth century created a need for a system of public records that lead to creation of the Social Security System in 1935. The system was intended to track individual employees’ earnings and therefore each citizen was assigned a unique, nine digit identifier known as Social Security Number. (Solove, 2006) Neither the social security number nor the social security card was intended to be used for identification purposes. The first cards even carried the inscription “NOT FOR IDENTIFICATION”. Contemporary social security cards do not bear picture or any other identifying information except for the name of the holder and social security number itself. Unfortunately, the importance of social security numbers and their use for identification changed significantly within a single century. According to the US Senate (Thomas, 2004) the social security number is one of the main tools used to steal identity, due to its use for purposes not intended by the original design.

Social security cards and more specifically social security numbers represent one of the main breeder identifiers that criminals use to initiate the crime of identity theft. In many instances, social security number together with birth certificate is used by various agencies to establish an initial identity and issue an identification bearing photograph or other biometric data.

US social security numbers are probably the most guarded pieces of information by individuals and at the same time widely available and frequently asked for and used in every day’s life.

Instant credits
This term was coined by the director of the Federal Trade Commission in 2002 (Sullivan, 2004) but basically describes an ability, available to millions of Americans to walk into an electronics store or a car dealership and legally walk out with goods worth tens of thousands of dollars just minutes later. When even mortgages are approved within similar time frame it is simply not possible to do better research on an applicant’s background. (Sullivan, 2004) In order to boost sales, merchants, based on credit scores provided by credit reporting agencies, approve instant credits to customers who can prove their credit worthiness, not their identity.

Convenience checks
Convenience checks are cash like instruments mailed to cardholders that allow them to transfer balances from one credit card issuer to another with a stroke of a pen. (Sullivan, 2004) Unlike cards, in most cases the use of convenience checks does not require any authorization, and the checks are not covered by a $50 liability limit. All customers are required to do is sign the check and mail it back to the issuer, or even submit it online.

Functional literacy
Organization for Economic Cooperation and Development defines functional literacy as ability to understand and employ printed information in daily life. According to the National Institute for Literacy 50% of the adult population in the United States is considered illiterate, with 44 million that cannot read a newspaper or fill out a job application (compared to 24% in the United Kingdom).  This factor facilitates growth of identity theft by impeding customers’ ability to protect themselves from daily attacks against their privacy.

Read the rest of this entry »

Estimating the real cost of identity theft might not be as easy as it first appears. As I already mentioned, without a proper definition of identity theft it is not possible to determine the extent of the crime, and in turn, without estimates of the extent of identity theft it simply impossible to estimate the real cost of the crime. Newman et al (Newman, 2006), quoting a Government Accountability Office (GAO) report from 2002, state that there is no comprehensive or agreed-upon way to estimate the economic cost of identity theft. This post will provide an overview of various costs associated with the crime and imposed on, not only industry and individuals, but also on the government. As we have seen in the previous chapter, not all businesses suffer from this crime.

Willox et al (Willox, 2002) suggest that identity theft statistics in 2002 were just a tip of the iceberg, and conservatively estimated loss of identity theft to be at least tens of billions of dollars. According to the United States Treasury Department’s own research, cyber criminals (although it is not clear what exactly is meant by this term) made more money than illegal drug traders in 2005. (Gordon, 2006) Javelin Strategy and Research report suggests that the annual cost for consumers alone reaches $52.6 million. (Van Dyke, 2005)

The following is a crude breakdown of the costs associated with identity theft.

Read the rest of this entry »

To describe ‘hot’ products – the items that are most likely to be stolen, Ronald Clarke, coined the term CRAVED in a law enforcement training manual produced for the British Home Office (Clarke, 1999). The acronym stands for five properties the item should posses to be ‘hot’: Concealable, Removable, Available, Valuable, and Enjoyable. Setting aside the argument that identity cannot be stolen, identity having properties of information, neatly fits into these categories. As it does not have physical properties, it can easily be concealed. It is not removable but it is multipliable which does not diminish this property. Availability of identifying data is immense. Its value for criminals will be discussed later. And at last, stolen identity can be enjoyed in the following ways (Perl, 2003): direct financial benefits, non financial benefits, and misuse of legal records.

Direct financial benefits are probably the most obvious. It occurs when a criminal directly obtains monetary instruments from the victim or in her name.

Non-financial identity theft might ultimately lead to monetary benefits but it starts with utilities frauds or obtaining of government documents or benefits in victims name that are later used for illegal border crossing or obtaining a job. Another common type of non-financial benefit is revenge.

The third reason criminals would steal identity is to evade legal sanctions and criminal records. (Perl, 2003) According to the same author, this type of crime is the worst case of identity theft. According to Newman (Newman, 2005) this is the major reason for stealing another’s identity. This category also includes growing number of cases where identity theft was used for supporting terrorist activities.

Finally, the concept of opportunity has also been used for explaining crime. Although, its relation to identity theft has not been formally researched, Newman (Newman, 2005) suggests a strong correlation, considering identity to be information that in turn can be perceived as a ‘hot product’.

How does it take place?
In order for identity crime to occur, the criminal must obtain personal identifiers of a person with a good credit or no criminal history, who later becomes a victim. The criminals use various methods including recruiting individuals with access to personal information, stealing documents from companies that store such information, dumpster diving, eavesdropping, shoulder surfing, burglary, stealing mail, phone scam, phishing, and pharming. Although, as we will see, use of technologies does not correlate with increase in identity theft, computer users are also targeted. According to one source, in the last couple of years, there has been a dramatic increase in number of collection methods, with over 65% increase only in key logging (Gordon, 2006) – method in which criminals use stealth key logging software or devices to secretly record key strokes that later reveal various personal information entered into victim’s computer. Personal identifiers can also be purchased on the street or Internet for the going rate of between $25 and $50. (Newman, 2005)

Stolen personal identifiers are then altered to reflect characteristics of the new ‘owner’. Development of desktop publishing technologies and their affordability also allow criminals to produce high quality replicas, while organized crime can use professional equipment that makes fakes ‘better’ than originals. It is also possible for criminals to obtain genuine identification documents through fraudulent methods like using ‘insiders’ at identification document issuing agencies. (Porter, 2005) The identity information bearing instruments obtained in this step are also known as ‘breeder documents’ since they allow criminals to proceed to the next step – obtaining false identification documents like birth certificate, social security card, drivers’ licenses, passports, voter registers, and badges. (Porter, 2005) These documents now allow criminals to further develop their newly assumed identities by creating new life history through rental of mail boxes, storage units, apartments, and vehicles, opening new accounts, and activation of telephone services and utilities, (Porter 2005) – all with timely and accurate payments just like any innocent citizen would do.

The next step – exploitation
Identity Theft is linked to many global crimes, including terrorism, money laundering and financial crimes, drug trafficking, alien and weapons smuggling. (Gordon, 2004) Once the criminal steals identity or creates a false identification document, he is able to create a fraudulent identity for himself which allows him to cross borders and also provides him with access to such identification documents as birth certificates, drivers’ licenses, and social security cards, that in turn create greater access by allowing him to procure employment, credit cards, residency and citizenship, etc. (Gordon, 2004)

Identity theft crimes are often facilitators for crimes that lead to money laundering, mortgage and insurance frauds, computer crimes, weapons and narcotics trafficking, homicide, terrorism, and illegal immigration, (Porter, 2005). As an example, Bruce Schneier (February 2007) suggests that criminals or terrorists could use stolen identities to avoid TSA screenings while carrying on attacks or other crimes. The magnitude of crimes committed with help of identity theft is best captured in Willox’s claim that identity theft is not a tool of a con artist anymore; it is indigenous to any criminal enterprise. (Willox, 2002)

The Other Side of Exploitation
One must not forget that it is not only criminals and terrorist who exploit identity theft. Financial institutions also benefit from various legal requirements by transferring the costs to consumers through disproportional increase in service fees. (Newman, 2005) On the other side there is a fast growing industry that legally profits from selling various services ranging from financial insurance, privacy protection, to credit monitoring. Currently, no supporting research exists that could back up this statement. Only anecdotal cases suggest the existence of this multi million dollar market niche.

Read the rest of this entry »

For the first time, identity theft was recognized as a crime at the state level – in Arizona in 1996. (Newman, 2005) The federal penalty code was amended in 1998 to introduce the Identity Theft Assumption and Deterrence Act (U.S. Public Law, 1998). This act was again amended in 2004, and the amendments are still in force. Today, with the exception of Colorado, Vermont, and US Virgin Islands, all states and US territories have special laws dealing with identity theft. This is especially important since most identity theft prosecutions and majority of law enforcement takes place at the state level (Perl, 2003). At the same time each state’s identity theft law is unique (Perl, 2003) which makes things a little bit more difficult.

Legal definition
Acting as an umbrella, the federal law set standards for all other states. This law, with subsequent amendments defines the identity theft in the following way:

[One is guilty of identity theft if...] knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document (hereafter identification document); [...] transfers an identification document,[...] knowing that such document [...] was stolen or produced without lawful authority;[...] possesses with intent to use unlawfully or transfer unlawfully five or more identification documents[...] possesses an identification document, [...] with the intent such document [...] be used to defraud the United States;[...] produces, transfers, or possesses a document-making implement [...] with the intent such document-making [...] will be used in the production of a false identification document or another document-making implement [...] which will be so used; [...] possesses an identification .. that is or appears to be an identification document [...] of the United States which is stolen or produced without lawful authority knowing that such document [...] was stolen or produced without such authority;[...] transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law; or [...] traffics in false authentication features for use in false identification documents, document-making implements, or means of identification[...]

Most definitions of identity theft, both legal and academic, can be summarized as unauthorized use of someone else’s identities. Newman at al define identity as a psychological construct used by individuals to refer to themselves as ‘a person’ and used by others to identify themselves as unique or particular individuals. (Newman, 2005) Other scholars reject the notion of identity as being no longer rationed to one per physiological specimen and adopt the term human identification as association of data with a particular human being. (Clarke, 1994) The science of information security, for purposes of dealing with authentication, or confirmation of someone’s identity defines identity as a combination of three factors – something we are, something we know, and something we have. The legal language cleverly avoids this problem by using the term identification or means of identification which, in the federal law, is defined as:

[...] any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any [...] name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; [...] unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; [...]unique electronic identification number, address, or routing code; or [...] telecommunications identifying information or access device [...]

At the federal level, a separate law (Title 18, Chapter 1029 Fraud and Related Activity in Connection with Access Devices) addresses credit card fraud. The two federal laws clearly separate identity theft from credit card (access device) fraud. This clearly supports my argument that credit card fraud is not identity theft, or to be more specific, some credit card frauds can be associated with identity theft but some (if not most of them) can not not. Although it might sound as a nuance, it is credit card fraud that most seriously distorts the course of action for prevention and fight against identity theft.

The federal act defines an ‘access device’ as:

[...] any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument); [...]

And makes it a crime to:

[...] knowingly and with intent to defraud produce, use, [...] traffic in, [...]poses[...] counterfeit access devices; knowingly and with intent to defraud effect transactions; [...] with [...]access devices issued to another person [...]receive payment [...]

State laws define identity theft in very similar way, except for two differences – the penalty for the crime, and treatment of credit card fraud. With the exception of three states that still do not have identity theft laws all other states have amended their criminal codes to recognize identity theft. Twenty four of them use the term identity theft to describe the crime, seven states call it identity fraud, while others use a range of less specific terms such as criminal impersonation, taking identity of another person, false personation, identity deception, misuse of identification, unauthorized or fraudulent use of personal identifying information, and identity crime. Only the state of Nebraska clearly differentiates between identity theft and credit card fraud while others did not follow the federal example and separated the two. Most states completely failed (or did it intentionally) to address the difference between two crimes, leaving it up to the judges to decide on treatment of the crime. Bibliography section lists state laws that address identity theft and/or credit card fraud.

Two important flaws are worth mentioning here as most of the states used federal identity theft law as a template: failure to clearly define identity at federal level, and failure to introduce separate credit card fraud laws at state levels lead to a situation where credit card frauds are confused with real identity theft cases.

This review would not be complete without mentioning the third federal law that directly addresses the issues related to identity theft is U.S. Public Law, Title 42, Chapter 408 – Fraud in Connection with the Misuse of Social Security Numbers. As the name suggests, the law focuses on the issues related to misuse of social security numbers and its terms are not relevant for this definition of the crime, but the number itself and its use is. 

Related legislation
In addition to the three laws above that directly deal with and define identity theft, there are a number of federal laws that significantly affect the combat against identity theft, and are relevant for further actions to fight this crime. In fact, according to the Identity Theft Literature Review (Newman, 2005) there are 180 federal statutes that prescribe the same conduct under the Identity Theft Act. According to Newman (Newman, 2005) the three most important ones laws are:

The Fair Credit Reporting Act (FCRA)
Originally passed in 1970 and last amended in 2003. One of the most significant provisions of this law related to identity theft prevents states from passing more stringent financial privacy rules than federal government.

The Fair and Accurate Credit Transactions Act
Passed in 2003 with sections specifically designed to combat identity theft, it protects consumers’ credits and calls for enhancements in identity authentication.

Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999 it instructs financial institutions to have policies, procedures, and controls to prevent unauthorized disclosure of financial information, and allows consumers to opt-out from having financial institutions disclose their private financial information.

Read the rest of this entry »

Interestingly enough, there is still no strong body of knowledge of the problem of identity theft or a single, well accepted definition of the problem . Instead, there is a range of different views on what identity theft is. As a result, various professionals who deal with identity theft use different terms that describe the same crime and, at the same time, describe different crimes using the same term. Here are some ideas on what should and what should not be considered identity theft, for purposes of both better understanding the problem and carrying out the project research.

First, a few words on confusing and contradicting terminology: The term identity theft itself is an oxymoron – identity is not a possession that can be acquired or lost (Schneier, 2005). Legally, theft is defined as appropriation of property belonging to other with intention of permanently depriving the other, (Webster’s, 1996) while identity is an information, combination of things we are, we know, and we have and therefore, one cannot be deprived of it once it is ‘assigned’ to her at birth. Experts suggest use of more appropriate term – identity fraud. (Schneier, 2005)

In an attempt to define the crime, Gordon et al (Gordon, 2004) define information theft as use of false identifiers, fraudulent documents, or a stolen identity in the commission of the crime. The same author distinguishes between identity fraud and identity theft, where identity fraud includes both the identity theft and cases of creating fictitious identity. The 2006 Identity Fraud Survey prepared for the Federal Trade Commission by the Javelin Strategy & Research (Johannes, 2006) distinguishes the two as well, but defines identity theft (also called true name fraud) as unauthorized use of another’s personal information to achieve illicit financial gain; and identity fraud as unauthorized access to personal information. The same report introduces the concept of synthetic identity fraud – use of fictitious identities. Since both identity theft and identity fraud are widely accepted and used interchangeably in most of the literature, I will use identity theft throughout this series of articles.

The broad classification of identity theft recognizes three different forms of the crime: financial, non-financial, and criminal record identity theft (Perl, 2003), while the Federal Trade Commission, for purposes of tracking the identity theft in the most complete existing database classifies identity theft into three categories: 1) new accounts and other fraud, 2) misuse of existing credit or account number, and 3) misuses of existing credit card or credit card number.

New accounts and other fraud
Crimes in this relatively low occurrence category represent probably the ‘purest’ cases of identity theft and include misuses of victims’ identities to escape law enforcement authorities, obtain employment or other benefits, and visa and passport fraud. These are considered to be the most serious of the three according to the Federal Trade Commission (FTC, 2003) and are characterized by high dollar amount and out of pocket cost, longer detection time, lower discovery by financial institutions and victims’ discovery when contacted by debt collector or law enforcement. (Van Dyke, 2005)

This crime is similar to what Perl described as criminal record identity theft, and is probably best known from widely publicized accounts of Kevin Mitnick’s law enforcement evasion. It is referred to as ‘the purest form of identity theft’ since it best matches academic definitions and leaves little room for questioning whether it can be confused with other crimes. Criminals use identifiers such as name, social security number, address, date of birth, and other identifying information to establish a new identity and once the crime takes place, the criminal impersonates the victim for much longer time than in case of other types of the fraud. It is possible for this type of crime to stay completely undetected since the criminals might try to keep a clean record on their ‘new identity’. New accounts are opened using criminal’s address and paid regularly in order to avoid any unnecessary attention. Criminals use this type of fraud to obtain jobs that would otherwise not be available due to their criminal history, escape criminal prosecution, and engage in illegal immigration.

Misuse of existing non credit or account number
This type of identity theft occurs when criminals get access to various existing accounts (like bank or telephone account) and try to either make money transfers to their own account or change the ownership of the account to their own name. Characteristics of this type are: low dollar loss and out of pocket cost for victims, short detection time, most frequently detected by companies, victims first find out of the crime through company notification and statements monitoring. (Van Dyke, 2005) As Van Dyke suggests, it does not take long for these crimes to be detected since shortly after they take place, victims notice unusual activities on their accounts or experience inability to access account or use the service. Once reported, the victim is released from any liability and reimbursed for possible financial damage.

This type of fraud is not always easy to classify as identity theft. If identity theft in its core represents illegal use of other people’s personal identifiers, the question is when and if getting into victims’ accounts or stealing their telephone represents a theft of identity. Most probably this can only be decided after careful investigation of each individual case and understanding the causes and consequences. As we will se later, this is where the stakeholders start to disagree.

Misuse of existing credit card or credit card number
If the stake holders might slightly disagree whether use of an existing account represents an identity theft, when it comes to misuse of credit cards, opinions differ diagonally. The crime occurs when criminal uses victim’s credit card or credit card number (the same applies to debit cards and other forms of ‘plastic’ means of payment) to make a purchase or series of purchases. The actual cards are either stolen cards or found lost cards. When only the number is used (in so called card not present transactions) they come from various sources, including thefts from company databases, through ‘sniffing’ electronic transactions, or shoulder surfing. The occurrence is easily detected by victims by simply monitoring financial statements. Many banks today successfully employ specialized software that looks for anomalies in card transactions such as payments unusual for the card holder or payments that occur at two distant points within short period of time, and are able to prevent such transactions before they take place.

The most important characteristic of this type of fraud is that once discovered it is easily to prevent it from taking place again simply by blocking the existing card and issuing a new one. This is an automatic process, the card is blocked within seconds after the crime is detected and reported, and no records are left on victims’ credit or criminal file. In the worst case scenario, the victims are hold liable for the first $50 of the stolen amount, but in most cases are fully reimbursed for any damage.

Although even the Federal Trade Commission report (FTC, 2005) agrees that these are the least serious victimizations, these frauds are still included in all reports on identity theft. They tend to negatively affect general understanding of the problem and lead to improper course of action when it comes to prevention and fight against the crime.

Read the rest of this entry »

Contrary to the common belief that identity theft is the plague of the twenty first century attributed to development of modern technologies, this phenomenon has existed for centuries. (Newman, 2005) Various types of identity theft existed long before the ‘age of information technology’. (Perl, 2003) Impersonation is an ancient crime (Schneier, 2007) but since for a long time, it was only the means for committing other, frequently more serious crimes, perpetrators were prosecuted for the ultimate offenses, the problem of identity theft was neglected.

When people started living in organized groups and invented postal services, they started identifying each other by names and numbers. (Newman, 2005) In early days, a plethora of, what is today considered to be private information, was publicly available, and anyone could easily find anyone else’s address, birth date, credit worthiness, or later car plate numbers. More importantly, people tended to spend all their lives within miles from their place of birth and almost everyone knew everyone. Decisions on granting loans and offering jobs was made based on personal recommendations and reputation of the individual established within the local community. Very little harm could be done by using identifiers of another person, who lived far away from the crime scene – with exception of avoidance of prosecution which was again easily detectable. As Schneier suggested, the rise of information-based credentials gave identity theft a modern spin. (Schneier, 2007) It was the late twentieth century that witnessed those new developments. As LoPucki noticed, decline in availability of personal information in the 1970 coincides with the rise of identity theft as we know it today – identity theft with an aim of not only evading the justice but gaining a direct financial benefit. The same author claims that what is known as identity theft today, emerged in the 1980s, becoming epidemic in 1990s (LoPucki, 2003)

It is not known when and who coined the term identity theft for the first time. It is found in only nine articles in the LEXIS database Allnws file from 1980 to 1986. (LoPucki, 2003) It was in 1995 that Postal Inspection Service began tracking mail theft cases that involved fraudulent credit card applications and change of addresses, while Secret Service began tracking cases that involved identity takeover in 1997. (Gordon, 2004) It was the state of Arizona that first recognized the crime in 1996. (Newman, 2005) Very soon the US Government took the problem seriously and introduced the Identity Theft and Assumption Deterrence Act in 1998 followed by establishing of Identity Theft Data Clearinghouse by the Federal Trade Commission in 1999. (Gordon, 2004) Unfortunately, it wasn’t until 2001 and the events of September 11 that society realized the extent to which this crime is involved in commitment of other crimes and even terrorism. (Willox, 2002)

This post presents a very brief history of identity theft in the Untied States, but more importantly shows that the crime is not a plague of the twenty first century as many believe. Recently recognized, it is an ancient, a self sustainable crime only facilitated by, not a byproduct of modern technologies. In spite of the popular belief that Internet is the main driving force behind the identity theft and condicio sine qua non, Perl (Perl, 2003) argues that Internet only impacted the growth (or visibility). Other academic researches of the correlation between modern technologies (including the Internet) and trends in identity theft agree with this statement. The latest report commissioned by the Federal Trade Commission suggests that technologies do not increase the risk of identity fraud, but rather provide the best means for fraud detection. (Johannes, 2006)

As we will see later , it was only recently that identity theft was recognized as a crime. This recognition prompted a more serious research and education, which in turn increased public attention and made a wrong impression about trends in this crime.

Read the rest of this entry »